System, method, and computer program product for comparing an object with object enumeration results to identify an anomaly that at least potentially indicates unwanted activity
First Claim
1. A method for avoiding a false positive identification of an anomaly that potentially indicates unwanted activity based on an object that has been unlinked or deleted prior to identifying object enumeration results, comprising:
identifying a change in a state of the object via a filter driver of a security system, wherein the object is included in a predetermined list of objects of an operating system being monitored for object manipulation events;
determining whether the object has been unlinked or deleted;
if it is determined that the object has not been unlinked, determining whether results of an object enumeration have been identified by a kernel enumeration interface that utilizes a directory in which the object is expected to be included;
if it is determined that the results of the object enumeration have not been identified, determining repeatedly whether the object has been unlinked or deleted until the results of the object enumeration have been identified or in response to a determination that the object has been unlinked;
if the object has not been unlinked nor deleted and if the results of the object enumeration have been identified, comparing the object with results of the object enumeration;
if the object has been unlinked or deleted, preventing the comparing step;
identifying at least potentially unwanted activity based on the comparison, wherein the identifying includes identifying an anomaly associated with the object being removed from a particular list a kernel of the operating system is to utilize for the object enumeration; and
initiating an analysis of a process that requested the change in the state of the object, wherein the analysis is configured to identify a rootkit associated with the unwanted activity.
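The decision logic of claim 1 reduced to a user-mode C model (an added illustration, not code from the patent or its assignee): the filter driver's view of the object and the kernel enumeration's view of its directory are compared only once the enumeration results exist and the object is still linked, so an object deleted while waiting is skipped rather than reported. Object names and the `run_scenario` driver are constructed for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Outcome of one decision pass over a monitored object. */
typedef enum { VERDICT_PENDING, VERDICT_SKIPPED_DELETED, VERDICT_CLEAN, VERDICT_ANOMALY } verdict_t;

/* What the kernel enumeration interface returned for the object's directory. */
typedef struct {
    bool ready;               /* false until enumeration results are identified */
    int count;
    const char *names[8];
} enum_result_t;

/* Object from the monitored list whose state change the filter driver reported. */
typedef struct {
    const char *name;
    bool unlinked_or_deleted; /* set when the filter driver sees an unlink or delete */
} monitored_object_t;

static bool enumeration_contains(const enum_result_t *r, const char *name) {
    for (int i = 0; i < r->count; i++)
        if (strcmp(r->names[i], name) == 0) return true;
    return false;
}

/* One pass of the claim's logic; the caller repeats it while VERDICT_PENDING is returned. */
verdict_t evaluate_object(const monitored_object_t *obj, const enum_result_t *r) {
    if (obj->unlinked_or_deleted)
        return VERDICT_SKIPPED_DELETED; /* comparison prevented: the object legitimately vanished */
    if (!r->ready)
        return VERDICT_PENDING;         /* results not identified yet: re-check the object later */
    /* The object still exists but the kernel's enumeration omits it: it was removed from
     * the list the kernel uses, the anomaly the claim associates with a rootkit. */
    return enumeration_contains(r, obj->name) ? VERDICT_CLEAN : VERDICT_ANOMALY;
}

/* Constructed scenario driver (names are made up, not from the patent): the enumeration is
 * not ready on the first pass; before the second pass the filter driver either reports the
 * object deleted, or the listing arrives with or without the object in it. */
verdict_t run_scenario(bool deleted_during_wait, bool listed_after_wait) {
    monitored_object_t obj = { "svc_helper.sys", false };
    enum_result_t r = { false, 1, { "ntfs.sys" } };
    verdict_t v = evaluate_object(&obj, &r);       /* VERDICT_PENDING: results not identified */
    if (v != VERDICT_PENDING) return v;
    obj.unlinked_or_deleted = deleted_during_wait; /* filter driver sees the unlink/delete */
    r.ready = true;                                /* enumeration results now identified */
    if (listed_after_wait) r.names[r.count++] = obj.name;
    return evaluate_object(&obj, &r);              /* deleted: skipped; else compare */
}
```

Only the VERDICT_ANOMALY outcome would trigger the claim's final step, analysis of the process that requested the state change.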
Abstract
A system, method, and computer program product are provided for comparing an object with object enumeration results to identify at least potentially unwanted activity. In use, a change in a state of an object is identified. Additionally, the object is compared with results of an object enumeration. Further, at least potentially unwanted activity is identified based on the comparison.
16 Claims
14. A computer program product embodied on a non-transitory computer readable medium for performing operations for avoiding a false positive identification of an anomaly that potentially indicates unwanted activity based on an object that has been unlinked or deleted prior to identifying object enumeration results, the operations comprising:
identifying a change in a state of the object via a filter driver of a security system, wherein the object is included in a predetermined list of objects of an operating system being monitored for object manipulation events;
determining whether the object has been unlinked or deleted;
if it is determined that the object has not been unlinked, determining whether results of an object enumeration have been identified by a kernel enumeration interface that utilizes a directory in which the object is expected to be included;
if it is determined that the results of the object enumeration have not been identified, determining repeatedly whether the object has been unlinked or deleted until the results of the object enumeration have been identified or in response to a determination that the object has been unlinked;
if the object has not been unlinked nor deleted and if the results of the object enumeration have been identified, comparing the object with results of the object enumeration provided by a kernel enumeration interface that utilizes a directory in which the object is expected to be included;
if the object has been unlinked or deleted, preventing the comparing step;
identifying at least potentially unwanted activity based on the comparison, wherein the identifying includes identifying an anomaly associated with the object being removed from a particular list a kernel of the operating system is to utilize for the object enumeration; and
initiating an analysis of a process that requested the change in the state of the object, wherein the analysis is configured to identify a rootkit associated with the unwanted activity.
15. A system for avoiding a false positive identification of an anomaly that potentially indicates unwanted activity based on an object that has been unlinked or deleted prior to identifying object enumeration results, the system comprising:
a processor, wherein the system is configured for:
identifying a change in a state of the object via a filter driver of a security system, wherein the object is included in a predetermined list of objects of an operating system being monitored for object manipulation events;
determining whether the object has been unlinked or deleted;
if it is determined that the object has not been unlinked, determining whether results of an object enumeration have been identified by a kernel enumeration interface that utilizes a directory in which the object is expected to be included;
if it is determined that the results of the object enumeration have not been identified, determining repeatedly whether the object has been unlinked or deleted until the results of the object enumeration have been identified or in response to a determination that the object has been unlinked;
if the object has not been unlinked nor deleted and if the results of the object enumeration have been identified, comparing the object with results of the object enumeration;
if the object has been unlinked or deleted, preventing the comparing step;
identifying at least potentially unwanted activity based on the comparison, wherein the identifying includes identifying an anomaly associated with the object being removed from a particular list a kernel of the operating system is to utilize for the object enumeration; and
initiating an analysis of a process that requested the change in the state of the object, wherein the analysis is configured to identify a rootkit associated with the unwanted activity.